Added an "admin" flag to users.

exhuma · May 28, 2014 · e54b889 · e54b889
1 parent a431544
commit e54b889
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/alembic/versions/8faadcbeda5_simple_auth.py b/alembic/versions/8faadcbeda5_simple_auth.py
@@ -0,0 +1,22 @@
+"""simple-auth
+
+Revision ID: 8faadcbeda5
+Revises: 986ba0fc1c7
+Create Date: 2014-05-28 19:16:08.290579
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '8faadcbeda5'
+down_revision = '986ba0fc1c7'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('user', sa.Column('admin', sa.Boolean,
+                                    server_default='false'))
+
+def downgrade():
+    op.drop_column('user', 'admin')
diff --git a/lost_tracker/main.py b/lost_tracker/main.py
@@ -7,6 +7,7 @@
 from config_resolver import Config
 from flask.ext.login import (
     LoginManager,
+    current_user,
     login_required,
     login_user,
     logout_user,
@@ -325,6 +326,8 @@ def register():
 @app.route('/confirm')
 @app.route('/confirm/<key>')
 def confirm_registration(key):
+    if not current_user.admin:
+        return "Access denied", 401
     loco.confirm_registration(
         key,
         activation_url=url_for('accept_registration',
@@ -339,6 +342,8 @@ def confirm_registration(key):
 @app.route('/accept/<key>')
 @login_required
 def accept_registration(key):
+    if not current_user.admin:
+        return "Access denied", 401
     group = loco.get_grp_by_registration_key(key)
 
     if group.finalized:
@@ -353,6 +358,8 @@ def accept_registration(key):
 @app.route('/group/<id>', methods=['POST'])
 @login_required
 def save_group_info(id):
+    if not current_user.admin:
+        return "Access denied", 401
     group = loco.get_grps_by_id(id)
     if not group.finalized:
         loco.accept_registration(group.confirmation_key, request.form)
@@ -396,6 +403,8 @@ def logout():
 @app.route('/manage')
 @login_required
 def manage():
+    if not current_user.admin:
+        return "Access denied", 401
     groups = loco.get_grps()
     slots = loco.slots()
 
@@ -421,6 +430,8 @@ def manage():
 @app.route('/manage/table/<table>')
 @login_required
 def tabularadmin(table):
+    if not current_user.admin:
+        return "Access denied", 401
 
     if table not in MODIFIABLE_TABLES:
         return gettext('Access Denied'), 401
@@ -481,6 +492,8 @@ def tabularadmin(table):
 @app.route('/cell/<cls>/<key>/<datum>', methods=['PUT'])
 @login_required
 def update_cell_value(cls, key, datum):
+    if not current_user.admin:
+        return "Access denied", 401
 
     if cls not in MODIFIABLE_TABLES:
         return gettext('Access Denied'), 401
@@ -528,6 +541,8 @@ def update_cell_value(cls, key, datum):
 @app.route('/group/<group_name>/timeslot', methods=['PUT'])
 @login_required
 def set_time_slot(group_name):
+    if not current_user.admin:
+        return "Access denied", 401
     data = request.json
     if data['direction'] not in (mdl.DIR_A, mdl.DIR_B):
         return jsonify(
@@ -552,6 +567,8 @@ def group_tooltip(group_id):
 @app.route('/station', methods=['POST'])
 @login_required
 def add_new_station():
+    if not current_user.admin:
+        return "Access denied", 401
     data = request.json
     message = loco.add_station(
         data['name'],
@@ -564,6 +581,8 @@ def add_new_station():
 @app.route('/form', methods=['POST'])
 @login_required
 def add_new_form():
+    if not current_user.admin:
+        return "Access denied", 401
     data = request.json
     name = data['name']
     max_score = int(data['max_score'])
@@ -580,6 +599,8 @@ def add_new_form():
 @app.route('/group', methods=['POST'])
 @login_required
 def add_new_group():
+    if not current_user.admin:
+        return "Access denied", 401
     data = request.json
     grp_name = data['name']
     grp_contact = data['contact']
@@ -600,20 +621,26 @@ def add_new_group():
 @app.route('/group/<int:id>', methods=['DELETE'])
 @login_required
 def delete_group(id):
+    if not current_user.admin:
+        return "Access denied", 401
     loco.delete_group(id)
     return jsonify(status='ok')
 
 
 @app.route('/station/<int:id>', methods=['DELETE'])
 @login_required
 def delete_station(id):
+    if not current_user.admin:
+        return "Access denied", 401
     loco.delete_station(id)
     return jsonify(status='ok')
 
 
 @app.route('/form/<int:id>', methods=['DELETE'])
 @login_required
 def delete_form(id):
+    if not current_user.admin:
+        return "Access denied", 401
     loco.delete_form(id)
     return jsonify(status='ok')
 

diff --git a/lost_tracker/models.py b/lost_tracker/models.py
@@ -317,6 +317,7 @@ class User(Base):
     password = Column(Unicode(100))
     email = Column(Unicode(100))
     locale = Column(Unicode(2))
+    admin = Column(Boolean, default=False, server_default='false')
 
     def __init__(self, login, password, email):
         self.login = login

diff --git a/lost_tracker/templates/master.html b/lost_tracker/templates/master.html
@@ -45,7 +45,7 @@
 
       <span id="auth">
         {% if current_user.is_authenticated() %}
-          {{_('Logged in as:')}} {{current_user.name}} |
+        {{_('Logged in as:')}} {{current_user.name}}{{'*' if current_user.admin else ''}} |
           <a href="{{url_for('group_list')}}">{{_('List')}}</a> |
           <a href="{{url_for('matrix')}}">{{_('Matrix')}}</a> |
           <a href="{{url_for('manage')}}">{{_('Slot Editor')}}</a> |